#securitychaosengineering — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #securitychaosengineering, aggregated by home.social.
-
Want to watch a video that makes lessons from Kelly Shortridge and Aaron Rinehart's "Security Chaos Engineering" book sink in? This video by Kyle Hill on the Three Mile Island disaster is it. Learn what a "Normal Accident" is. Bonus: it's an entertaining video about a misunderstood nuclear disaster. https://youtu.be/cL9PsCLJpAA?si=zHf6FE_DUoPbatjS
@shortridge #ChaosEngineering #SecurityChaosEngineering #InfoSec
-
I am looking forward to this webinar with Kennedy Torkura, to discuss cloud security and security chaos engineering. Kennedy and I chat regularly and that has been so fun we thought we'd let you in on the conversation.
Join us Oct 17th
#cloudsecurity #securitychaosengineering #cybersecurity
https://www.mitigant.io/webinar/innovating-cloud-native-cyber-resilience#about-the-webinar
-
I am a big fan of @shortridge 's Security Chaos Engineering and posted this not-really-a-review, explaining why:
-
just finished #SecurityChaosEngineering (the book)
review blog coming soon but in the meantime, go get it
https://kellyshortridge.com/book.html
Euros tell me it is getting released May 16 over there
-
#SecurityChaosEngineering is filled with gems like this:
Despite the empirical evidence, infosec folk wisdom says that descriptive error messages are pestiferous because attackers can learn things from the message that assist their operation. Sure, and using the internet facilitates attacks - should we avoid it too?
-
I had a blast at AWS Summit Berlin last week. Here are my impressions about the event, which was a unique experience in many aspects for me, and surprisingly intimate and local.
#cloudsecurity #securitychaosengineering
https://www.linkedin.com/pulse/very-european-affair-impressions-from-aws-summit-thoden-van-velzen/
-
one of my go-to phrases is:
#cloudsecurity and secure #CloudTransformation is 2% tooling, 3% skills, 5% talent and 90% organizational drama
I therefore love the following quote:
Any computer system is inherently sociotechnical - humans design, build and operate them. Our architectures must reflect that. With advances in hardware, and innovation like infrastructure-as-a-service, the emerging (but not yet dominant) trend is for a system's computer costs to represent a smaller portion of budget than the cost of the engineers who build and maintain the system (...)
Beyond costs, organizational design strongly influences system design (and we suspect vice versa as well). Conway's Law, which states that organizations design systems that mirror their own communication structures, is difficult to fight. When designing a system and allocating your Effort Investment Portfolio, it's important to consider not only the system architecture, but also the structure of the teams that would build, operate, and use the system.
-
[...] SCE is all about outcomes rather than output, prefers psychological safety to ruling with an iron fist, and experiments with strategies optimized for the real world, not an ideal security-is-the-only-priority world. The simple premise of achieving tangible outcomes rather than performing dramatic motions to give the appearance of "doing something" should be compelling to all stakeholders involved in an organization's security - from the security teams themselves to software engineering and product teams (not to mention company leadership who can start to see more tangible outcomes from the security budget).
-
If you optimize for eliminating failure, you won't be taken seriously in business settings where the clear goal is to make more money (...). Eliminating failure costs money, but introducing change - by shipping features, launching products, and other activities - makes money. Attempting to eliminate failure often costs more money than the amount lost by the failure itself. Actively investing in change is a competitive advantage; a focus on eliminating failure chokes innovation, corroding that advantage. [...]
In contrast, a security program with the safe-to-fail mindset can accept surprises, minimize their impact, and learn from them. It acknowledges the world is absurd and can cope with reality not being a fairy tale with easily defined and enforced "good" and "evil".
-
We can characterize the security status quo as the "fail-safe" mindset, reflective of a prevention-driven approach. The status quo in cybersecurity is to stamp out all possible vulnerabilities, "risks" or "threats" before they happen. [...] this is impossible - and a rather profligate use of an organization's resources. The "fail-safe" logic leads to a false sense of security. It does not care how the system failed or how it recovered from failure, but demonizes that it failed at all.
If we shift towards a "safe-to-fail" logic, we transform towards preparation - anticipating failures and investing effort in preparing to recover and adapt to them. Safe-to-fail seeks to understand how systems respond to adverse, changing conditions and how they fail in certain scenarios. Does the system recover with speed and grace? Are critical functions affected, or just noncritical ones?
-